Input validation error in dnsdist - CVE-2018-14663

 


Published: July 3, 2023


Vulnerability identifier: #VU77909
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-14663
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
dnsdist
Software vendor:
PowerDNS.COM B.V.

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing DNS queries. A remote attacker can smuggle certain DNS records into the DNS backend and perform a spoofing attack. This issue occurs only when either the ‘useClientSubnet’ or the experimental ‘addXPF’ parameter is used when declaring a new backend.
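
A configuration audit for the exposure condition described above, as an added example that is not part of the advisory or of dnsdist itself: it scans a dnsdist Lua configuration for `newServer` backend declarations that set `useClientSubnet=true` or a non-zero `addXPF`. The sample configuration, its addresses and the function names are constructed for illustration, and the parser assumes `--` never appears inside a quoted string.

```python
import re

# Backend options the advisory names as the exposure condition.
OPTION_PATTERNS = {
    "useClientSubnet": re.compile(r"\buseClientSubnet\s*=\s*true\b"),
    "addXPF": re.compile(r"\baddXPF\s*=\s*[1-9]\d*"),
}
ADDRESS = re.compile(r"""\baddress\s*=\s*["']([^"']+)["']""")


def strip_lua_comments(text):
    """Drop `--` line comments while keeping the line count intact."""
    return "\n".join(line.split("--", 1)[0] for line in text.splitlines())


def new_server_calls(text):
    """Yield (line_number, argument_text) for each newServer(...) call."""
    for m in re.finditer(r"\bnewServer\s*\(", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk to the matching ")"
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        yield text.count("\n", 0, m.start()) + 1, text[m.end():i - 1]


def find_exposed_backends(config_text):
    """Return [(line, address, [options])] for backends using the options."""
    findings = []
    for line, args in new_server_calls(strip_lua_comments(config_text)):
        hits = [name for name, pat in OPTION_PATTERNS.items() if pat.search(args)]
        if hits:
            addr = ADDRESS.search(args)
            findings.append((line, addr.group(1) if addr else "?", hits))
    return findings

# Constructed sample configuration (documentation addresses, not from the advisory).
SAMPLE = '''\
newServer("192.0.2.10")
newServer({address="192.0.2.11:53", useClientSubnet=true})
newServer({
  address="192.0.2.12",
  addXPF=65280, -- experimental
})
-- newServer({address="192.0.2.13", useClientSubnet=true})
newServer({address="192.0.2.14", useClientSubnet=false})
'''

if __name__ == "__main__":
    for line, addr, opts in find_exposed_backends(SAMPLE):
        print(f"line {line}: backend {addr} uses {', '.join(opts)}")
```

Backends reported by the scan are the ones to prioritise when applying the vendor update; declarations that are commented out or set `useClientSubnet=false` are not reported.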


Remediation

Install updates from vendor's website.
